Search squid archive

Re: No valid signing SSL certificate configured for HTTPS_port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2016-11-05 21:24, Konrad Kaluszynski wrote:
Hi All,

My goal is to configure a reverse proxy for Outlook Anywhere clients
using squid.
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

This will replace existing TMG that my client is currently using.

However, when I run squid I get an error  "No valid signing SSL
certificate configured for HTTPS_port".

Before, I was able to get OWA and HTTPS traffic using NGINX as reverse
proxy but was getting connection errors when trying to use
OutlookAnywhere.

So now I have been testing Squid but cannot get past the certificate
installation which was painless under Nginx.

Configuration is based on an article below:

https://sysadminfixes.wordpress.com/2013/01/25/exchanging-squids/

I have been trying for several days now without much success to
configure SSL certificate on my squid server.

Getting the " ...no valid signing certificate" every time.

I found few posts saying that it was not possible to use SSL
certificates signed by public CA and self-signed certs must be used.

Can anyone confirm if this is a case?

Logs and config files below.

My domain name has been replaced with _contoso.com [1]_ for
confidentiality sake.

squid server- srv-_squid.contoso.com [2]_ / 3.3.3.201

uname -a
Linux srv-squid 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

exchange server - exch.contoso.com [3] / 10.2.2.30

SSL certificate:

obtained from StartSSL for mail.contoso.com [4]

SQUID.CONF

#### START

visible_hostname mail.contoso.com [4]
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h"
"%{User-Agent}>h" %Ss:%Sh ###this causes an error
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
### ignore_expect_100 ## not available in version 3.5
ssl_unclean_shutdown on
### The most important line
 ### "cert" should contain Exchange certificate and key
 ### "sslproxy_cafile" contains CA of root servers - StartSSL ?!
https_port mail.contoso.com:443 [5] accel
cert=/home/kk/ssl/cert-mail/mail.contoso.com.pem
defaultsite=mail.contoso.com [4]
key=/home/kk/ssl/cert-mail/mail.contoso.com.key

cache_peer exch.kk1.tech parent 443 0 proxy-only no-digest no-query
originserver front-end-https=on login=PASS sslflags=DONT_VERIFY_PEER
connection-auth=on name=Exchange

acl exch_url url_regex -i mail.contoso.com/owa [6]
acl exch_url url_regex -i mail.contoso.com/microsoft-server-activesync
[7]
acl exch_url url_regex -i mail.contoso.com/rpc [8]

cache_peer_access Exchange allow exch_url
cache_peer_access Exchange deny all
never_direct allow exch_url
http_access allow exch_url
http_access deny all
miss_access allow exch_url
miss_access deny all
deny_info https://mail.contoso.com/owa all

###END

ERROR

cache.log
2016/11/05 08:52:13| storeDirWriteCleanLogs: Starting...
2016/11/05 08:52:13|   Finished.  Wrote 0 entries.
2016/11/05 08:52:13|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for HTTPS_port
3.3.3.201:443 [9]
Squid Cache (Version 3.5.22): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 46624 KB
Page faults with physical i/o: 0

SQUID - compiled from sources

squid -v

Squid Cache: Version 3.5.22
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/share/squid3'
'--sysconfdir=/etc/squid3' '--with-logdir=/var/log'
'--with-pidfile=/var/run/squid3.pid' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=' '--enable-arp-acl' '--enable-esi'
'--enable-ssl' '--enable-zph-qos' '--enable-wccpv2'
'--disable-translation' '--with-logdir=/var/log/squid3'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--with-ssl' '--disable-ipv6'
'--with-openssl' --enable-ltdl-convenience

Appreciate any feedback

Cheers

Konrad



Links:
------
[1] http://contoso.com
[2] http://squid.contoso.com
[3] http://exch.contoso.com
[4] http://mail.contoso.com
[5] http://mail.contoso.com:443
[6] http://mail.contoso.com/owa
[7] http://mail.contoso.com/microsoft-server-activesync
[8] http://mail.contoso.com/rpc
[9] http://3.3.3.201:443

Hi,

Sorry, if my questions would appear naive, but:

1. Does your certificate signed by StartSSL CA (/home/kk/ssl/cert-mail/mail.contoso.com.pem) corresponds to your private key (/home/kk/ssl/cert-mail/mail.contoso.com.key)?

2. Does user 'proxy' (--with-default-user=proxy) have access rights to keys?


Garri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux